QATAR Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Dean Jaloudi and Jehan Saleh, GLA & Company
• the right to withdraw consent; • the right to data portability; and
nism that allows individuals to seek redress for data protection issues. Article 26 grants individuals the right to file complaints with the competent department if they believe their per - sonal data has been processed unlawfully. Such department will then investigate, and can issue binding corrective decisions to rectify breaches. If a violation is confirmed, the competent depart - ment may order the data controller or processor to correct the breach within a specified time - frame. If the controller fails to comply, further regulatory actions may be taken. While the PDPPL does not outline a class action process, individuals retain the right to pursue civil claims in Qatari courts for damages result - ing from data breaches. Articles 23–25 impose fines of up to QAR5 million for non-compliance with specific PDPPL provisions, reinforcing the financial accountability of data controllers and processors. 3. Data Regulation on IoT Providers, Data Holders and Data Processing Services 3.1 Objectives and Scope of Data Regulation The authors are not aware of any legislation in Qatar with respect to IOT services. 3.2 Interaction of Data Regulation and Data Protection The PDPPL is closely linked to other Qatari laws regulating cybersecurity and digital trans - actions. The NCSA enforces cybersecurity laws and plays a role in ensuring personal data pro - tection in AI applications and IOT services. The Telecommunications Law and Cybercrime Law
• the right to not be subjected to a decision that is based solely on automated processing. Specific Overview of the Health Sector and Private Health Data Under Article 16 of the PDPPL, private health data includes personal information related to: • an ethnic group; • children; • a physical and mental health or state; • treatment; • health security; • cause of death; • socio-economic parameters regarding health and wellness; • historical healthcare backgrounds such as diseases or any related information; and • personal information collected to provide health services and opinions. The consent of individuals, children’s guardians or any individual whose medical coded clinical data is being processed must first be obtained explicitly or by confirmation. 2.2 Recent Case Law As of January 2025, Qatar has no reported sig - nificant case law or ongoing litigation specifically concerning data protection or AI comparable with the jurisprudence of the Court of Justice of the European Union (CJEU) regarding Articles 82 and 83 of the GDPR. However, there have been recent regulatory developments, including the introduction of new AI guidelines. 2.3 Collective Redress Mechanisms Collective redress mechanisms are not outlined under the PDPPL. However, the PDPPL does provide a complaint and enforcement mecha -
350 CHAMBERS.COM
Powered by FlippingBook